{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":61219754,"defaultBranch":"master","name":"upspin","ownerLogin":"upspin","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2016-06-15T15:39:17.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/11708310?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1713565179.0","currentOid":""},"activityList":{"items":[{"before":"3f1964b7cfdc641e1b7fd7683d5f9ada442531a2","after":"70e5bc8005f9c37cc362db0ef214b3a83c1c4b8f","ref":"refs/heads/master","pushedAt":"2024-04-20T00:16:26.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"adg","name":"Andrew Gerrand","path":"/adg","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8446613?s=80&v=4"},"commit":{"message":"Merge pull request #664 from upspin/cve-2024-2687\n\ngo.mod: update x/net to get security patch","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2254113342\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/664\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/664/hovercard\" href=\"https://github.com/upspin/upspin/pull/664\">#664</a> from upspin/<a title=\"CVE-2024-2687\" data-hovercard-type=\"advisory\" data-hovercard-url=\"/advisories/GHSA-3pm4-9c7g-c576/hovercard\" href=\"https://github.com/advisories/GHSA-3pm4-9c7g-c576\">cve-2024-2687</a>"}},{"before":null,"after":"15625e0db55c2fe5c12673ae44536aae8da0c6d2","ref":"refs/heads/cve-2024-2687","pushedAt":"2024-04-19T22:19:39.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"go.mod: update x/net to get security patch\n\nUpspin.io's GCP servers may be vulnerable to the flood attack recently patched.\nLet's cite the new version and then I'll redeploy our servers, ideally before\nwe actually get attacked.","shortMessageHtmlLink":"go.mod: update x/net to get security patch"}},{"before":"f9353274f37d113a8c3a7d75e140d27e6af7b6a4","after":"3f1964b7cfdc641e1b7fd7683d5f9ada442531a2","ref":"refs/heads/master","pushedAt":"2024-04-01T20:41:27.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"access_control.md: correct markdown formatting\n\nAdded the missing backquotes, thanks to suggestion from \tAlan Urmancheev.\r\n\r\nFixes #663.","shortMessageHtmlLink":"access_control.md: correct markdown formatting"}},{"before":"f8d92f05b6093f1b1e3aa2ebe350ace69761728f","after":"f9353274f37d113a8c3a7d75e140d27e6af7b6a4","ref":"refs/heads/master","pushedAt":"2024-03-20T18:31:08.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #657 from testwill/ioutil\n\nchore: remove refs to deprecated io/ioutil","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1991796070\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/657\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/657/hovercard\" href=\"https://github.com/upspin/upspin/pull/657\">#657</a> from testwill/ioutil"}},{"before":"3a9eca186db881bf68a1c5c57e4bd0718c01f207","after":"f8d92f05b6093f1b1e3aa2ebe350ace69761728f","ref":"refs/heads/master","pushedAt":"2024-03-16T04:11:29.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"robpike","name":"Rob Pike","path":"/robpike","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/4324516?s=80&v=4"},"commit":{"message":"Merge pull request #662 from upspin/protobuf\n\ngo.mod: update protobuf version to get security patch","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2189719474\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/662\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/662/hovercard\" href=\"https://github.com/upspin/upspin/pull/662\">#662</a> from upspin/protobuf"}},{"before":null,"after":"019cd19a31fd034d0964788ec1e80a4b3939f48e","ref":"refs/heads/protobuf","pushedAt":"2024-03-16T02:40:32.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"go.mod: update protobuf version to get security patch\n\nWe're still using the older version of protobuf from before 2020, but\nthere is a security patch for the new version we should pick up (as\nan indirect dependency) found by \"go mod tidy\".\n\nAccording to Damien Neil's golang-announce post 2024-03-08,\nwe also need to update to v1.5.4 of the old protobuf, as done here.","shortMessageHtmlLink":"go.mod: update protobuf version to get security patch"}},{"before":"d7a568b4ada9e4c64168468a0de0e380a21fd19d","after":"3a9eca186db881bf68a1c5c57e4bd0718c01f207","ref":"refs/heads/master","pushedAt":"2024-02-29T20:22:04.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"overview.md: reword statement of what directory server sees\n\nFixes #644.","shortMessageHtmlLink":"overview.md: reword statement of what directory server sees"}},{"before":"6a12f1f1bff235c018fabb31ee35628cb5965909","after":"d7a568b4ada9e4c64168468a0de0e380a21fd19d","ref":"refs/heads/master","pushedAt":"2024-02-16T20:43:21.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #660 from oec/master\n\nclient: fix endless loop in TestFileSeek","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2133079005\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/660\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/660/hovercard\" href=\"https://github.com/upspin/upspin/pull/660\">#660</a> from oec/master"}},{"before":"c4c99251c3d45affc7ba1fed2707508e90f18726","after":"6a12f1f1bff235c018fabb31ee35628cb5965909","ref":"refs/heads/master","pushedAt":"2023-10-16T18:48:05.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"go.mod: more security updates","shortMessageHtmlLink":"go.mod: more security updates"}},{"before":"204322b78a9c8d54a0a7693cf8bb5cd404e752da","after":null,"ref":"refs/heads/go-security","pushedAt":"2023-10-16T05:11:31.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"}},{"before":"bc8d3d2c4c71b4e2f7bbec97ac340d71c4133a4c","after":"c4c99251c3d45affc7ba1fed2707508e90f18726","ref":"refs/heads/master","pushedAt":"2023-10-16T05:11:10.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #656 from upspin/go-security\n\ngo.mod: bring in recent Go security fixes","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1944180115\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/656\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/656/hovercard\" href=\"https://github.com/upspin/upspin/pull/656\">#656</a> from upspin/go-security"}},{"before":null,"after":"204322b78a9c8d54a0a7693cf8bb5cd404e752da","ref":"refs/heads/go-security","pushedAt":"2023-10-16T01:28:03.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"go.mod: bring in recent Go security fixes","shortMessageHtmlLink":"go.mod: bring in recent Go security fixes"}},{"before":"61262d645c848fde2f4a71c88aaa19b60ad2ee7d","after":"bc8d3d2c4c71b4e2f7bbec97ac340d71c4133a4c","ref":"refs/heads/master","pushedAt":"2023-07-16T23:34:16.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #655 from upspin/file-readat\n\nclient: ReadAt, Read fixes","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1806659212\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/655\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/655/hovercard\" href=\"https://github.com/upspin/upspin/pull/655\">#655</a> from upspin/file-readat"}},{"before":"7321e7d0a572cd3980b212de685839d166a460eb","after":"95c579d9024c63e9853388eb11100ada3fcdc382","ref":"refs/heads/file-readat","pushedAt":"2023-07-16T17:24:25.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"client: fix ReadAt err for short read.\n\nWhen ReadAt returns fewer bytes than requested, it is supposed to\nreturn io.EOF rather than nil.\n\nThere are four possible cases when returning from readAt:\n1. n==len(dat), err==nil\n    All bytes are valid; last one may be at EOF.\n2. n<len(dst), err==io.EOF\n    All bytes are valid; last one is at EOF.\n3. n==0, err==io.EOF\n    All is well; nothing more to read.\n4. n==0, err!=nil && err!=io.EOF\n    There was actually a problem the caller needs to deal with.\nIn all of these cases, Read should just increment the offset by n.\nSo we've fixed two bugs in file.go, in readAt and in Read.\n\nAt the same time we need to fix a bug in TestZeroFill; the specification\nof Read allows returning err as either nil or io.EOF so we should allow\neither one.\n\nThe previous commit added a simple check in TestFileRandomAccess\nthat catches the readAt bug. Stdlib's recently added iotest.TestReader\nwould also have caught this. It doesn't spot any other problems at\nthe moment, but seems wise to include in our testing.\n\nFixes #648.\nFixes #650.\n\nDoes not fix #654. I don't understand TestFileSeek enough to\npropose any fix other than checking for len(written)!=Max inside\nthe for whence loop. But even that is not enough to make it run\nat reasonable speed. It would be great if we could just toss tests\nlike that in favor of iotest or a more extensive version. If someone\nsees how to improve TestIotest to make that possible, comments\nare especially welcome.","shortMessageHtmlLink":"client: fix ReadAt err for short read."}},{"before":null,"after":"7321e7d0a572cd3980b212de685839d166a460eb","ref":"refs/heads/file-readat","pushedAt":"2023-07-16T05:15:25.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"client:/file: test File.ReadAt, skip TestFileSeek\n\nAs noted in #648, the ReadAt implementation in client/file/file.go\nshould return err io.EOF upon short read. This change adds a test\nto warn of that bug.\n\nBut currently we can't run \"go test\" in client/ because TestFileSeek\ntimes out. Ideally we'd fix the test, but that will require a lot of\ndiscussion. For now, just add a provision to skip via \"go test -short\".\nIssue #654 filed.","shortMessageHtmlLink":"client:/file: test File.ReadAt, skip TestFileSeek"}},{"before":"2e9b9d0554e67ecd79974c0a67dfc9de7b9bbfc4","after":"61262d645c848fde2f4a71c88aaa19b60ad2ee7d","ref":"refs/heads/master","pushedAt":"2023-07-15T22:34:18.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #653 from upspin/revert-649-ReadAt\n\nRevert \"client: fix ReadAt err for short read.\"","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1806356015\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/653\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/653/hovercard\" href=\"https://github.com/upspin/upspin/pull/653\">#653</a> from upspin/revert-649-ReadAt"}},{"before":null,"after":"d617695232c22e2de6ccd56372eebadb0bd15608","ref":"refs/heads/revert-649-ReadAt","pushedAt":"2023-07-15T22:34:01.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Revert \"client: fix ReadAt err for short read.\"","shortMessageHtmlLink":"Revert \"client: fix ReadAt err for short read.\""}},{"before":"c6b894a7f8971804c2bd0532e5b08e321707aafc","after":"2e9b9d0554e67ecd79974c0a67dfc9de7b9bbfc4","ref":"refs/heads/master","pushedAt":"2023-07-15T22:33:26.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #652 from upspin/revert-651-ReadAt\n\nRevert \"client: fix Read after ReadAt change\"","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1806355826\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/652\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/652/hovercard\" href=\"https://github.com/upspin/upspin/pull/652\">#652</a> from upspin/revert-651-ReadAt"}},{"before":null,"after":"fc2d9952be787ed32d8bd674a72d0ad735fe8fd4","ref":"refs/heads/revert-651-ReadAt","pushedAt":"2023-07-15T22:32:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Revert \"client: fix Read after ReadAt change\"","shortMessageHtmlLink":"Revert \"client: fix Read after ReadAt change\""}},{"before":"260c23d05679830f5287aa10d4c7238b73419ffa","after":"c6b894a7f8971804c2bd0532e5b08e321707aafc","ref":"refs/heads/master","pushedAt":"2023-07-15T21:09:02.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #651 from upspin/ReadAt\n\nclient: fix Read after ReadAt change","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1806332218\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/651\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/651/hovercard\" href=\"https://github.com/upspin/upspin/pull/651\">#651</a> from upspin/ReadAt"}},{"before":"cb2953edacbc0f3b6e6fc834a99b60cae2d852f1","after":"8139b7a32e4dfec14b48111e22d437c217595c1c","ref":"refs/heads/ReadAt","pushedAt":"2023-07-15T21:07:10.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"client: fix Read after ReadAt change\n\nMy PR #649 unintentionally changed the behavior of Read.\nThis commit is an interim change to repair the immediate\ndamage while I consider a more complete fix. It passes\ngo test -test.run TestFileRandomAccess\nas before and now also passes\ngo test -test.run TestFileZeroFill\nbut still times out on\ngo test -test.run TestFileSeek\nso definitely should not be considered a complete fix.\n\nMore to come, but I'll merge this without review in an attempt\nto minimize impact on any folks not following the discussion.","shortMessageHtmlLink":"client: fix Read after ReadAt change"}},{"before":"fb7b36a5270faff958f057b04603453d74092ef6","after":"260c23d05679830f5287aa10d4c7238b73419ffa","ref":"refs/heads/master","pushedAt":"2023-07-14T21:26:22.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"robpike","name":"Rob Pike","path":"/robpike","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/4324516?s=80&v=4"},"commit":{"message":"Merge pull request #649 from upspin/ReadAt\n\nclient: fix ReadAt err for short read.","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1805150097\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/649\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/649/hovercard\" href=\"https://github.com/upspin/upspin/pull/649\">#649</a> from upspin/ReadAt"}},{"before":null,"after":"cb2953edacbc0f3b6e6fc834a99b60cae2d852f1","ref":"refs/heads/ReadAt","pushedAt":"2023-07-14T16:25:52.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"client: fix ReadAt err for short read.\n\nWhen ReadAt returns fewer bytes than requested, it is supposed to\nreturn io.EOF rather than nil.\n\nFixes #648.","shortMessageHtmlLink":"client: fix ReadAt err for short read."}},{"before":"f38fa2954c6be9be919a1dcaf0d109a86d6c8938","after":"fb7b36a5270faff958f057b04603453d74092ef6","ref":"refs/heads/master","pushedAt":"2023-07-04T21:31:32.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"n2vi","name":"Eric Grosse","path":"/n2vi","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/8402874?s=80&v=4"},"commit":{"message":"Merge pull request #643 from Abirdcfly/master\n\ncmd/upspin: delete minor unreachable code caused by t.Fatal","shortMessageHtmlLink":"Merge pull request <a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"1332986282\" data-permission-text=\"Title is private\" data-url=\"https://github.com/upspin/upspin/issues/643\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/upspin/upspin/pull/643/hovercard\" href=\"https://github.com/upspin/upspin/pull/643\">#643</a> from Abirdcfly/master"}},{"before":"6164fd1ee34e196778717dfd1351bc30161f6a8b","after":"f38fa2954c6be9be919a1dcaf0d109a86d6c8938","ref":"refs/heads/master","pushedAt":"2023-06-25T22:40:15.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"AugieBot","name":"Augie","path":"/AugieBot","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/26911405?s=80&v=4"},"commit":{"message":"doc: adopt Apache 2.0 License, drop googlesource.com references\n\nAs the Upspin project is being moved out of Google's purview, switch to\nthe more widely-used and understood Apache 2.0 license and remove the\nPATENTS file. Also update some references to the googlesource.com repo\nand Gerrit to mention Github and Pull Requests instead.\n\nChange-Id: If1e37060d304731a082c3f8cd170280052aa033a\nReviewed-on: https://upspin-review.googlesource.com/c/upspin/+/19820\nReviewed-by: Rob Pike <r@golang.org>\nReviewed-by: Hilary Richardson <rhilary@google.com>\nReviewed-by: Eric Grosse <grosse@gmail.com>","shortMessageHtmlLink":"doc: adopt Apache 2.0 License, drop googlesource.com references"}},{"before":"67e250ec27d8878c0009213b8e32c6803f2727ea","after":"6164fd1ee34e196778717dfd1351bc30161f6a8b","ref":"refs/heads/master","pushedAt":"2023-06-22T22:40:15.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"AugieBot","name":"Augie","path":"/AugieBot","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/26911405?s=80&v=4"},"commit":{"message":"pack/ee/create.go: copy keygenGo1.19 crypto to preserve secretseed\n\nThe changes adopted in Go 1.20 crypto are welcome, but unfortunately\nbreak our existing mapping of secretseed to upspinkey. In the worst\ncase an upspin user who lost everything but their paper-backup\nsecretseed would be very sad and not consoled by Go 1.20 fixing a\npotential timing side-channel attack. So we'll keep using the older\nvariant of elliptic curve key generation, until the coming migration\nto post-quantum-crypto algorithms.\n\nFor additional context, see golang issue #58637. Filippo's ECDSALegacy\nmentioned there does not retain the compatibility we need, though\nit would have been ok for us had we adopted it back at the dawn of\nupspin time. But I found that copying just few lines from Go pre-1.20\nmeets our needs for now.\n\nI see from key.upspin.io/log that a number of people have generated\nkeys since November 2022 when Go 1.20 came along. If reviewers\nagree, once the dust settles from this CL I'll email those recent\naddresses to warn that their secretseeds may have been caught by\nthis bug and they need to save their *.upspinkey files or update\ntheir copy of upspin and rotate to new keys.\n\nA minor change in upspin/main.go avoids a test failure from duplicate\nnewline argument to Println.\n\nThis whole discovery of a secretseed problem was prompted by Github\nDependabot nagging me about unrelated old vulnerable x/net and\nx/crypto that we required in go.mod. So I let \"go mod tidy\" bring\nus up to date on dependencies as well.\n\nIn cmd/upspin/ and pack/ee, go test and go vet pass. My system\ndoesn't have a working fuse, so if someone with a more mainstream\nsystem can do a full go test that would be appreciated. Not likely\nthat I've broken anything by copying our needed part of Go 1.19, but\nconceivably we have other hidden bugs from Go version or the updated\ndependencies.\n\nFixes #647\n\nChange-Id: Ib4462da69e7ce6a10694c861783f2e8f449df034\nReviewed-on: https://upspin-review.googlesource.com/c/upspin/+/19841\nReviewed-by: Andrew Gerrand <adg@google.com>","shortMessageHtmlLink":"pack/ee/create.go: copy keygenGo1.19 crypto to preserve secretseed"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAENZy7CgA","startCursor":null,"endCursor":null}},"title":"Activity · upspin/upspin"}